NSW government agencies with cyber risks outside acceptable levels have not set deadlines to rein them in, according to an analysis by the state’s auditor.
More than a dozen agencies had open-ended timeframes to resolve their self-assessed elevated risk profiles.
A handful of agencies had not funded cyber security improvements or implemented training.
Meanwhile, staff deemed at “high risk” had not been provided additional cyber security awareness training.
The findings come from an annual audit [pdf] of IT and other controls in place at dozens of NSW government agencies, which regularly picks up control deficiencies.
The audit forms part of NSW’s cyber security policy, which took effect in 2019, replacing the digital information security policy.
The policy requires the agency head to demonstrate how the agency has assessed and managed cyber risks every year.
The majority of agencies investigated as part of the audit had assessed their cyber security risks to be above their own risk appetites.
“Despite similar frameworks, agencies have taken different interpretations of how to define and record risks,” the report added.
“While some variance would be expected due to the size and complexity of agencies, risk registers ought to be at a level that informs and supports decision making rather than simply a list of all known vulnerabilities or potential incidents and causes of incidents.”
Funding an issue
As of June 2023, none of the agencies examined had met their target level of maturity against either the Essential Eight or the state-drafted cyber security policy.
One agency, described as employing over 20,000 staff and bringing “important services to the public”, has a cyber uplift plan but no funding to implement it.
Seventeen (17) agencies were said to have current cyber security remediation plans which are expected to complete between December 2024 and June 2027.
Funding for cyber security operations, including governance, operations and investigations, ranged from $250,000 to $47.3 million for individual agencies.
Meanwhile, agencies that have funding allocated are spending between $100,000 and $49 million on their uplift programs.
As reported by iTnews, the audit also uncovered gaps in NSW agencies’ management of privileged access.